OPCC Privacy Notice

In this Privacy Notice we have detailed what information we collect from and about you, what we do with it and who it might be shared with.

Your Right to be Informed

You have the right to be informed and this is why we have provided you with this Privacy Notice, which is also called privacy information. It lets you know that we will comply with the regulations and want to foster trust and good relations with you.

In summary:

You have the right to be clearly and concisely informed about the collection of your personal data and what we do with your personal data. This is a key transparency requirement under the GDPR.

We must provide you with information including: our purposes for processing your personal data, how long we keep your personal data (i.e. the retention periods) and who it will be shared with. We call this ‘privacy information’ and this is this within this Privacy Notice.

We must provide privacy information to you at the time we collect your personal data from you and this is why the PCC’s email address has an automatic acknowledgement and contains a link to this Privacy Information Notice.

If we obtain personal data from other sources – third-parties – then we must provide you with privacy information within a reasonable period of obtaining the data and no later than one month.

There are a few circumstances when we do not need to provide you with privacy information, such as if you already have the information or if it would involve a disproportionate effort to provide it to you.

The information we provide to you must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

We provide privacy information to people at different times and in a number of formats, such as in an email reply, on the PCC’s website and on our telephone recorded message.

If you have any feedback on how effective the delivery of our privacy information is then we welcome your comments. (See Contact us).

We regularly review, and where necessary, update our privacy information. If we have any new uses of your personal data then we will bring it to your attention before we start the processing.

Getting the right to be informed correct helps us comply with other aspects of the GDPR and to build trust with you. Getting it wrong means that we may be fined and can also lead to reputational damage for us.

We are the office of the Avon and Somerset Police & Crime Commissioner (the OPCC) which is the organisation in control of your personal information (the Data Controller). We obtain, hold, use and disclose (pass on) information about people, the steps taken to make sure that it is kept safe and secure, and we also explain your rights to you about your personal information that we hold.

The PCC is registered with the Information Commissioner as a ‘Data Controller’ and we make sure that the office of the PCC handles all personal information in accordance with the law. The PCC (and office of the PCC) takes this responsibility very seriously and takes great care to ensure that personal information is handled appropriately in order to have the public’s trust and confidence in the PCC and the office of the PCC.

* ‘Special categories’ of personal data, as defined within the General Data Protection Regulation, includes: racial or ethnic origin, political opinions, religious or philosophical beliefs, health, sex life or sexual orientation, or trade union membership, and genetic data and biometric data.

Processing of special categories of personal data for the purpose of uniquely identifying you as an individual (a Data Subject) is prohibited, with exceptions which include: If you have given explicit consent to its processing; Processing is necessary for the purposes of carrying out obligations and exercising specific rights of the Data Controller – the PCC - or of you, the Data Subject in the field of employment and social security and social protection law and providing for appropriate safeguards for the fundamental rights and the interests of you, the data subject; Processing is necessary to protect the vital interests of you as the data subject, or of another natural person where you the data subject is physically or legally incapable of giving consent; Processing relates to personal data which is already in the public domain by you the Data Subject; Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; and Processing is necessary for reasons of substantial public interest.

Elected Local Policing Bodies (Specified Information Order 2011 and amendment order 2012, S1 2012 / 2479)

Police Pension Fund Regulations 2007

Police Pensions Act 1976

Freedom of Information Act 2000

Police Reform Act 2002

Employment Rights Act 1996

The Equality Act 2010

The PCC’s role and services provided include:

Communication from and to members of the public;

Management of Freedom of Information requests;

Management of complaints;

Management of public relations, journalism, advertising and media;

Vetting;

Commissioning Services;

Management of finance;

Internal review, accounting and auditing;

Training;

Property management;

Insurance management;

Vehicle and transport management;

Payroll and benefits management;

Management of information technology systems;

Recruitment;

Sports and recreation;

Procurement;

Planning;

System testing;

Security;

Performance management; Legal services;

Health and safety management;

HR management;

Information provision;

Licensing and registration;

Pensioner administration;

Staff administration, occupational health and welfare;

Research, including surveys1;

1 The PCC consults the public and undertakes surveys to inform decision-making. The PCC may contact individuals, such as victims of crime or those reporting incidents, and ask them to give us their opinion of the service provided to the public by the PCC’s office, Police or other commissioned service providers. The PCC uses the information given to improve services wherever possible, including that of Avon & Somerset Constabulary. The PCC may use a private company to undertake such surveys on the PCC’s behalf with strict controls to protect the personal data of those involved.

In the majority of times we do not share your information with any organisation or person outside of the PCC’s office. For example, if you contact the PCC about an issue within the remit of the PCC then the PCC will reply directly to you, keeping your personal information within the PCC’s office. However, in some circumstance we need to share your personal information with other Organisations (other Data Controllers) that we work with, including:

The Police, mainly Avon and Somerset Constabulary

Members of Parliament (MP)

Local Authorities – County and District Councils

The Home Office

Community groups

Charities and other not for profit organisations

Contractors

Commissioned Service Providers

We may need to share your personal data that we hold with these organisations so that they can carry out their responsibilities. For example we may contact the Police if your enquiry is about an operational policing matter, under the direction and control of the Chief Constable and strictly outside of the PCC’s remit. Another example is when an MP writes to the PCC about a constituent and gives personal information about that resident. The PCC may first have to make enquiries with the Police before replying to the MP. If a third-party seeks information from us about an individual, for example, a Solicitor on behalf of a Client, then we will seek written consent from the individual first before disclosing any personal information. If we and the other Data Controllers listed above are processing your personal information jointly for the same purposes, then we and the other Data Controllers may be “joint Data Controllers” which means that we are all collectively responsible to you for your personal information. Where we are processing your personal data for our own independent purposes then we are independently responsible to you and if you have any questions, wish to exercise your rights or want to raise a complaint, then you can write to us. (See Contact us).

We know that your personal information belongs to you and not us. That’s why when you, or a third party share your personal information with us we make sure that we keep it private and safe.

In order to carry out the role and duties of the PCC we may disclose personal information to a wide variety of recipients in any part of the world, including those from whom personal information is obtained (see Who might we share your information with). This may include disclosures to the Police and other law enforcement agencies, other PCCs, partner agencies working on crime reduction initiatives, partners in the Criminal Justice arena, Victim Support, and to bodies or individuals working on our behalf such as IT contractors or survey organisations. The PCC may also disclose to other bodies or individuals where necessary to prevent harm to individuals.

Where required, or appropriate to do so, personal data may be shared with Avon & Somerset Constabulary (including the Chief Constable, officers, staff, agents or appointed volunteers) to facilitate and support the PCC’s role and remit and to deliver applicable statutory functions.

Disclosures of personal information will be made on a case-by-case basis, using the personal information appropriate to a specific purpose and circumstances, and with necessary controls in place.

Some of the bodies or individuals to which the PCC may disclose personal information may be situated outside of the European Union - some of which do not have laws that protect data protection rights as extensively as in the United Kingdom. If the PCC transfers personal information to such territories, proper steps will be taken to ensure that it is adequately protected as required by the Act.

PCC will also disclose personal information to other bodies or individuals when required to do so by, or under, any act of legislation, by any rule of law, and by court order. This may include disclosures to the IOPC, Police, Action Fraud and the Home Office.

The PCC may also disclose personal information on a discretionary basis for the purpose of, and in connection with, any legal proceedings or for obtaining legal advice.

How is personal information handled?

We will handle personal information fairly and lawfully with appropriate justification. We will strive to ensure that any personal information used by or on behalf of us is of the highest quality in terms of accuracy, relevance, adequacy and non-excessiveness (minimal), is kept as up-to-date as required, is protected appropriately, and is reviewed, retained and securely destroyed when no longer required. Your rights will also be respected.

Rest assured, robust security has always been a crucial part of everything we do. The new rules make sure that all organisations are set up to protect any personal data held and to act appropriately if something goes wrong.

We take the security of all personal information very seriously and we will comply with the law for safety and security.

We will make sure that appropriate policy, training, technical and procedural measures are in place, including audit and inspection, to protect all personal information is secure from data loss and misuse and only permit access to your information when there is a reason within the PCCs role and remit to do so and then under strict guidelines as to what use may be made of any personal information. These procedures are continuously managed and enhanced to ensure up-to-date security.

We have a retention time for different types of personal information. This is listed in the Retention Policy.We keep your personal information as long as is necessary for the particular purpose or purposes for which it is held. Personal information is retained, reviewed and deleted in accordance with agreed retention times which are subject to review.

This can also be found on the PCC’s website, Record Retention Scheme Policy:

The new regulation supports your right to have your privacy respected and your data protected. It is designed to give you confidence that the personal information we hold about you is accurate, up to date and well managed and to give you easier access to that information if you wish to check or change it.

The most commonly exercised right is that used by individuals to obtain a copy, subject to exemptions, of their personal information processed by the PCC. Details of the

application process, known as the ‘Right of Access’ can be found from the Information Commissioner’s website at: https://ico.org.uk/for-the-public/personal-information/ . Alternatively you may contact the PCC’s office (See Contact Us) and we will provide a copy of your personal data that is currently undergoing processing. This is free of charge. If the request is considered excessive or for any further copies requested by you, we will either charge a reasonable fee based on our administration costs or we may refuse the request and give reasons for doing so. We will reply without delay and we will use all reasonable measures to verify your identity if you request access to your personal information and we will send a final response within one month of receiving the request.

We want to make sure that your personal information is accurate and not out of date.

You have the right to ask us for the rectification of inaccurate personal information concerning you. Taking into account our purposes for the holding and processing of your data, you have the right to have incomplete personal information completed, including any supplementary statement you wish to make for us to hold.

Your request should be sent in writing to the Office of the PCC and we will reply within one month of receiving your request. (See Contact us).

You have the right to ask us to erase your personal information and we will do this without undue delay where your personal data is no longer necessary for the purpose that we were collecting and holding or processing it. This is subject to compliance with any legal obligation for us. We will also inform any third-party if we have shared your personal information, to inform them of the erasure.

You have the right to ask us for a restriction on the processing of your personal information if it is inaccurate, unlawful or we no longer need your personal information but we are required by you to store the data regarding a legal claim, or you object to our processing and whilst this is reviewed.

We can continue to store your personal information but we will be restricted to the ways that we can use it.

Your request should be sent in writing to the Office of the PCC and we will reply within one month of receiving your request. (See Contact us).

You have more access and control over what happens to your personal information.

You have the right to receive your personal data which you have provided to us and you have the right to directly transmit your personal data to another Data Controller (an organisation that controls personal information) without undue delay from us. This is only where you have given consent or contract for us to handle your personal information and the processing that we do is carried out in an automated way. This doesn’t apply where we are acting under official authority or in the public interest.

You have the right to object to us on grounds relating to your particular situation, at any time, to the processing of your personal data concerning you which relates to where processing is necessary for the performance of a task carried out in the public interest or official authority for us; or provides the legal foundation of legitimate interests of us. We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Please note that we do not do automated decision-making or profiling. However, for completeness we want to confirm this general right.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right doesn’t apply if it is necessary for entering into, or performance of, a contract between you and us as the Data Controller; or it is authorised by a Union or Member State law to which our Data Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or it is based on your explicit consent.

You can ask the Information Commissioner to make an assessment if you believe that you have been adversely affected by the handling of your personal information by us or if you believe that we have not complied with the requirements of Data Protection Law. You can directly contact the Information Commissioner using the contact details below.

Generally if you have any concerns about the way that your personal information is handled by us or the lawfulness, fairness or quality (accuracy, relevance, non-excessiveness) of your personal information then you are welcome to raise them with us in the first instance, in order to allow us to try and address your concerns. (See Contact us).

The Information Commissioner is the independent regulator responsible for enforcing Data Protection regulations and can provide useful information about the requirements and your rights. The Information Commissioner’s Office may be contacted in the following ways:

Post: The Information Commissioner’s Office,

Wycliffe House,

Wilmslow,

Cheshire,

SK9 5AF

Telephone: 0303 123 1113 (local-rate) or 01625 545 745 if you prefer to use a national-rate number.

In order to carry out the purposes described under section 1 above the PCC may obtain, use and disclose (see section 7 below) personal information relating to a wide variety of individuals including the following:

Staff including volunteers, agents, temporary and casual workers;

Suppliers;

Complainants, correspondents and enquirers;

Relatives, guardians and associates of the individual concerned;

Advisers, consultants and other professional experts;

Offenders and suspected offenders;

Witnesses;

Victims;

Former and potential members of staff, pensioners and beneficiaries;

Members of Parliament;

Local Authority employees;

Councillors;

Other individuals and members of the public, necessarily identified in the course of PCC enquiries and activity.

The PCC will only use appropriate personal information necessary to fulfil a particular purpose or purposes. Personal information could be information which is held on a computer, in a paper record such as a file, as images, but it can also include other types of electronically held information such as CCTV images.

GDPR and what this means for youThe General Data Protection Regulation (GDPR) is a new law that covers data protection and privacy of individuals and comes into effect from 25 May 2018. The processing of personal data is governed by legislation relating to personal data which applies in the United Kingdom including the GDPR and other legislation relating to personal data and rights, such as the Human Rights Act.

The first principle of data protection is that personal information must be processed fairly and lawfully. We have provided information for you in this Privacy Notice about:

who we are (who the Data Controller is);

the purpose for which your personal information will be used (processed); and

Subject to the law, we’ll monitor or record and retain your telephone calls, texts, emails, social media posts and other communications in relation to your dealings with us. We’ll do this for regulatory compliance, self-regulatory practices, crime prevention and detection, to protect the security of our communications systems and procedures, to check for obscene or profane content, for quality control and staff training and when we need to see a record of what’s been stated. We aim to communicate and correspond efficiently and effectively with you and to assist the role and remit of the PCC.

Avon and Somerset Police and Crime Commissioner’s website puts small files (known as "cookies") onto your computer to collect information about how you browse the site.

Cookies are used to:

display a cookie law notice

measure website usage (Google Analytics)

maintain data between form pages

Cookies are not used to identify you personally.

First party cookies

Name: cc_cookie_accept

Purpose: Shows / hides the cookie banner at the top of the home page

Expires: When you close your browser

Name: electionpopup

Purpose: Shows/hides the pop up banner from previous PCC elections

Expires: When you close the browser

Third party cookies

We use third party cookies to improve our online services. These cookies enable us to gather information about users who access our site and what actions they take. They also allow us to obtain feedback from users and work with partners to provide the best possible service.

Google don’t collect or store your personal information (for example your name or address) so this information can’t be used to identify who you are. We don’t allow Google to use or share our analytics data.